Vulnerability Disclosure

Last updated: April 14, 2026

As an all-in-one pentest management platform, Penarc is built by security professionals, for security professionals. We deeply understand the value of the independent security research community and are strictly committed to protecting our infrastructure and our clients' sensitive vulnerability data.

This Vulnerability Disclosure Policy outlines our expectations, safe harbor protections, and the process for reporting security issues found within the Penarc ecosystem.

1. Safe Harbor Agreement

Penarc strongly supports good-faith security research. If you make a genuine effort to comply with this policy during your testing, we consider your activities to be authorized.

Under this Safe Harbor agreement, Penarc will not initiate, recommend, or pursue legal action against you for your research. If a third party initiates legal action against you for activities conducted in compliance with this policy, we will formally make our authorization of your actions known.

2. Scope of Authorized Research

In-Scope Assets:

Out-of-Scope Assets:

  • Any infrastructure, services, or URLs operated by third-party vendors (e.g., Jira, hosting providers).
  • Any systems belonging to Penarc clients.

If you believe a critical system outside of this scope merits testing, please email us for explicit permission before proceeding.

3. Rules of Engagement

To ensure the stability of our platform and the privacy of our users, we require researchers to adhere to the following rules:

  • Do No Harm: You must make every effort to avoid privacy violations, data destruction, degradation of user experience, or disruption to production systems.
  • No Disruptive Testing: Network denial of service (DoS/DDoS), brute-forcing, and volumetric attacks are strictly prohibited.
  • No Social Engineering: Phishing, vishing, tailgating, or any physical attacks against Penarc facilities, employees, or users are unauthorized.
  • Stop on Sensitive Data: If you encounter sensitive data (including client vulnerability reports, PII, financial info, or proprietary code), you must stop testing immediately, notify us, and permanently delete any local copies. Do not exfiltrate data.
  • Limit Exploitation: Only use exploits to the extent necessary to confirm a vulnerability exists. Do not establish persistent access or use the exploit to pivot to internal networks.

4. Coordinated Disclosure & Embargo

We require a reasonable amount of time to triage and remediate vulnerabilities before they are disclosed publicly. By submitting a report, you agree not to publish exploits, proof-of-concept (PoC) scripts, or write-ups until Penarc has confirmed successful remediation and granted written permission for public disclosure.

5. Exclusions & Informational Findings

We welcome all valid reports, but low-impact or informational findings are generally not eligible for recognition or swag. Examples of excluded findings include:

  • Missing HTTP security headers (without a demonstrable impact).
  • SPF/DKIM/DMARC configuration issues.
  • Self-XSS or DOM XSS with low likelihood of exploitation.
  • Vulnerabilities with a CVSS v3/v4 score of less than 4.0.
  • Issues strictly requiring physical access to a user's unlocked device.

6. How to Submit a Report

If you believe you have discovered a vulnerability, please email us immediately at info@penarc.ai.

To help our engineering team triage your submission quickly, please include:

  • The specific URL or endpoint where the vulnerability exists.
  • A detailed description of the potential impact.
  • Step-by-step instructions to reproduce the issue (PoC scripts, video recordings, or screenshots are highly appreciated).

Expectation of Compensation: Penarc does not currently operate a cash bug bounty program. By submitting a report, you acknowledge that you waive any future claims for monetary compensation.

7. Our Commitment to You

When you submit a report in good faith, you can expect the following from the Penarc team:

  • Prompt Acknowledgment: We will confirm receipt of your report within 5 business days.
  • Transparency: We will validate the finding and keep you reasonably informed of our remediation timeline and any challenges that may delay the fix.
  • Appreciation: While we do not offer cash bounties, we love to recognize impactful research. For valid, high-severity vulnerabilities, we offer Penarc-branded swag (t-shirts, merchandise, or gift cards) as a token of our appreciation for keeping our platform secure.

Contact Us

If you have questions regarding this policy or are unsure if a specific testing method is permitted, please reach out to info@penarc.ai before beginning your research.